From f2f2e7627f0c878d13275af5d166ec5932665e28 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Sun, 22 Jun 2014 13:19:36 -0400
Subject: [PATCH] Check mp3 header before calling
 avpriv_mpegaudio_decode_header().

As indicated in the function documentation, the header MUST be
checked prior to calling it because no consistency check is done
there.

CC:libav-stable@libav.org
---
 libavcodec/libmp3lame.c |  8 +++++++-
 libavformat/mp3enc.c    | 15 +++++++++------
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c
index eebc65c44d..dee1909609 100644
--- a/libavcodec/libmp3lame.c
+++ b/libavcodec/libmp3lame.c
@@ -182,6 +182,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
     MPADecodeHeader hdr;
     int len, ret, ch;
     int lame_result;
+    uint32_t h;
 
     if (frame) {
         switch (avctx->sample_fmt) {
@@ -237,7 +238,12 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
        determine the frame size. */
     if (s->buffer_index < 4)
         return 0;
-    if (avpriv_mpegaudio_decode_header(&hdr, AV_RB32(s->buffer))) {
+    h = AV_RB32(s->buffer);
+    if (ff_mpa_check_header(h) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid mp3 header at start of buffer\n");
+        return AVERROR_BUG;
+    }
+    if (avpriv_mpegaudio_decode_header(&hdr, h)) {
         av_log(avctx, AV_LOG_ERROR, "free format output not supported\n");
         return -1;
     }
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index 932625864f..476d7f71cb 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -252,13 +252,16 @@ static int mp3_write_audio_packet(AVFormatContext *s, AVPacket *pkt)
 
     if (mp3->xing_offset && pkt->size >= 4) {
         MPADecodeHeader c;
+        uint32_t h;
 
-        avpriv_mpegaudio_decode_header(&c, AV_RB32(pkt->data));
-
-        if (!mp3->initial_bitrate)
-            mp3->initial_bitrate = c.bit_rate;
-        if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate))
-            mp3->has_variable_bitrate = 1;
+        h = AV_RB32(pkt->data);
+        if (ff_mpa_check_header(h) == 0) {
+            avpriv_mpegaudio_decode_header(&c, h);
+            if (!mp3->initial_bitrate)
+                mp3->initial_bitrate = c.bit_rate;
+            if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate))
+                mp3->has_variable_bitrate = 1;
+        }
 
         mp3_xing_add_frame(mp3, pkt);
     }